Database-Modifying Malware Narilam a Corporate Sabotage Tool

Researchers have uncovered a new piece of malware that modifies corporate databases on systems in the Middle East, but the sample appears to be a form of corporate sabotage rather than a cyber-weapon on the scale of Stuxnet.

The malware, discovered Nov. 15 and dubbed W32.Narilam by Symantec, appears to be targeting and modifying corporate databases in the Middle East, Shunichi Imano, a Symantec security researcher, wrote on the Symantec Connect blog. At first glance, Narilam is very similar to other network worms, as it copies itself onto infected machines, adds registry keys, and propagates itself through removable drives and network shares.

Narilam is "unusual" because it can update Microsoft SQL databases over the Object Linking and Embedding Database (OLEDB) protocol, Imano said. The worm specifically targets SQL databases with three distinct names, alim, maliran, and shahd. Once the targeted databases are found, Narilam looks for specific objects and tables and either deletes the tables or replaces items with random values, Imano said.

The malware "appears to be programmed specifically to damage the data held within the targeted database," Imano wrote.

How Big a Threat Is It?

The bulk of the infections thus far have been found in the Middle East, particularly Iran and Afghanistan, although infections have been reported in the United States and the United Kingdom. The malware appeared to have been created between 2009 and 2010, according to Kaspersky Lab's Global Research and Analysis Team. While "about 80 incidents" have been recorded over the past two years, the fact that just six infections were reported in the past month suggests the malware is "probably almost extinct," the researchers wrote on SecureList.

Gauss and Flame also were discovered earlier this year targeting systems in the Middle East. However, Narilam does not appear to have any information-stealing capabilities. Kaspersky Lab did not find any "obvious connection" between Narilam and Duqu, Stuxnet, Flame, and Gauss. Narilam was developed using Borland C++ Builder 6, while the others used various versions of Microsoft Visual C, according to the post.

Iran's Computer Emergency Response Team also warned against comparing Narilam with Stuxnet, Duqu, and Flame in a statement, claiming Narilam was not "a major threat, nor a sophisticated piece of computer malware." It was previously detected in 2010, and appears able to corrupt only the database included in small-business accounting software developed by an unnamed Iranian company, CERT said.

"The simple nature of the malware looks more like a try to harm the software company reputation among their customers," Iran-CERT said.

Narilam is "not a threat for general users," according to the CERT statement, but customers of that particular software package should make backups of their database and scan their systems with updated antivirus products.

Corporate Sabotage Tool

Kaspersky Lab uncovered an alert from an Iranian company named "TarrahSystem" claiming Narilam was targeting their software. It appears Maliran (Integrated Financial and Industrial Applications), Amin (Banking and Loans Software), and Shahd (Integrated Financial/Commercial Software) are all TarrahSystem products.

Within the targeted databases, Narilam looks for tables and objects with financial-related names such as BankCheck, A_Sellers, and buyername. Persian words such as Pasandaz (savings), Hesabjari (current account), R_DetailFactoreForosh (forosh means sale), End_Hesab (hesab means account), and Vamghest (installment loans) are also on the list of terms Narilam recognizes.

The malware modifies the following objects: Asnad.SanadNo (sanad means document), Asnad.LastNo, Asnad.FirstNo, Pasandaz.Code, refcheck.amount, and buyername.Buyername. Narilam also deletes the following tables: A_Sellers, person, and Kalamast.
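The database names, column names and table names reported above are the most concrete indicators a defender has for this family, and they are easy to turn into a detection over SQL Server statement audit records. The script below is an added example written for this article; it is not code from Symantec, Kaspersky Lab or TarrahSystem. It assumes a one-line-per-statement audit export in a constructed layout (timestamp, host, db, user and the SQL text), which is a hypothetical format chosen for the example rather than any real product's output, and it flags only statements that match the behaviour described in the write-ups: DROP TABLE of A_Sellers, person or Kalamast, or an UPDATE that assigns one of the six listed columns, inside a database named alim, maliran or shahd.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Indicators taken from the Symantec and Kaspersky Lab descriptions quoted in the article.
TARGET_DATABASES = {"alim", "maliran", "shahd"}
MODIFIED_COLUMNS = {
    "asnad.sanadno", "asnad.lastno", "asnad.firstno",
    "pasandaz.code", "refcheck.amount", "buyername.buyername",
}
DROPPED_TABLES = {"a_sellers", "person", "kalamast"}

# Hypothetical audit-log line layout, constructed for this example (not a real product format):
#   <timestamp> host=<name> db=<database> user=<login> stmt="<SQL text>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+db=(?P<db>\S+)\s+user=(?P<user>\S+)\s+stmt="(?P<stmt>.*)"$'
)
# Optional [schema]. prefix and optional [brackets] around identifiers, as T-SQL allows.
DROP_RE = re.compile(
    r"^\s*DROP\s+TABLE\s+(?:IF\s+EXISTS\s+)?(?:\[?\w+\]?\.)?\[?(?P<table>\w+)\]?",
    re.IGNORECASE,
)
UPDATE_RE = re.compile(
    r"^\s*UPDATE\s+(?:\[?\w+\]?\.)?\[?(?P<table>\w+)\]?\s+SET\s+(?P<assignments>.+?)(?:\s+WHERE\b|$)",
    re.IGNORECASE | re.DOTALL,
)


@dataclass
class Finding:
    line_no: int
    host: str
    database: str
    reason: str
    statement: str


def classify(db: str, stmt: str) -> Optional[str]:
    """Return a reason string if the statement matches Narilam's documented behaviour, else None."""
    if db.lower() not in TARGET_DATABASES:
        return None
    m = DROP_RE.match(stmt)
    if m and m.group("table").lower() in DROPPED_TABLES:
        return f"drop of table {m.group('table')} (listed as deleted by Narilam)"
    m = UPDATE_RE.match(stmt)
    if m:
        table = m.group("table").lower()
        # Column names sit on the left of each "col = value" assignment in the SET clause.
        cols = re.findall(r"\[?(\w+)\]?\s*=", m.group("assignments"))
        hits = [c for c in cols if f"{table}.{c.lower()}" in MODIFIED_COLUMNS]
        if hits:
            return f"update of {table}.{','.join(hits)} (listed as modified by Narilam)"
    return None


def scan_log(lines: Iterable[str]) -> List[Finding]:
    """Parse audit lines and return one Finding per statement that matches an indicator."""
    findings: List[Finding] = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not in the expected layout; skip rather than guess
        reason = classify(m.group("db"), m.group("stmt"))
        if reason:
            findings.append(Finding(n, m.group("host"), m.group("db"), reason, m.group("stmt")))
    return findings


# Constructed sample records; host names, logins and values are made up for the example.
SAMPLE_LOG = """\
2012-11-15T09:01:12Z host=FIN-SRV01 db=maliran user=app_svc stmt="SELECT SanadNo FROM Asnad WHERE SanadNo = 1042"
2012-11-15T09:01:13Z host=FIN-SRV01 db=maliran user=app_svc stmt="UPDATE Asnad SET SanadNo = 77190, LastNo = 3 WHERE SanadNo = 1042"
2012-11-15T09:01:14Z host=FIN-SRV01 db=maliran user=app_svc stmt="DROP TABLE A_Sellers"
2012-11-15T09:01:15Z host=FIN-SRV01 db=hrdb user=app_svc stmt="DROP TABLE person"
2012-11-15T09:01:16Z host=FIN-SRV01 db=shahd user=app_svc stmt="UPDATE buyername SET Buyername = 'k3jd9s' WHERE id = 7"
2012-11-15T09:01:17Z host=FIN-SRV01 db=shahd user=app_svc stmt="UPDATE buyername SET Address = 'Main St' WHERE id = 7"
"""


def main() -> None:
    for f in scan_log(SAMPLE_LOG.splitlines()):
        print(f"line {f.line_no}: {f.host}/{f.database}: {f.reason}: {f.statement}")


if __name__ == "__main__":
    main()
```

Run against the embedded sample, the scan reports the Asnad update, the A_Sellers drop and the buyername.Buyername update and stays silent on the ordinary SELECT, the Address update and the drop of a table called person in an unrelated database. Restricting matches to the three named databases is a deliberate choice: names like person are common, and the write-ups say the worm only acts inside those databases. Because the indicators are only the names reported for this one sample, a variant that changes them slips through, so the rule is a starting point for tuning, not a substitute for the backups the article recommends.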

"Unless appropriate backups are in place, the affected database will be difficult to restore," Symantec's Imano warned.

Even if this particular malware sample winds up not being a major threat, the fact remains that malware authors can always modify existing samples to attack new targets. In fact, Kaspersky Lab uncovered several other variants with the same functionality and method of replication. Corporations need to make sure they maintain regular backups of databases and other critical systems in order to protect themselves from these kinds of attacks.
